Oracle Borrows Security Notice Method from Microsoft

Borrowing a page directly from Microsoft’s playbook, Oracle has implemented an advance notice mechanism for its quarterly release of security patches.

Beginning with the first CPU (Critical Patch Update) for 2007, due on Jan. 16, the database server giant is implementing a CPU Pre-Release Announcement that includes the name of version numbers of Oracle products affected by patches, a total count of vulnerabilities being fixed and a severity score for the most serious product flaws.

Microsoft started offering advance notice on its monthly security bulletins in late 2003, but when word leaked out it was only available for premium customers, the company expanded the mechanism to provide the pre-patch overview to everyone.

Now, Oracle is following suit as part of a larger attempt to improve its highly criticized security response and patch release process. It is also going a step further by providing more details than Microsoft, including the specific product components affected, the actual vulnerability count and “any other information that may be relevant to help organizations plan for the application of the CPU in their environment.”

According to Duncan Harris, senior director of security assurance at Oracle, the new mechanism is aimed at helping customers plan for patch testing and deployment when the updates are eventually shipped.

“While Oracle will try to make CPU Pre-Release Announcements as accurate as possible at the time of their publication, the information they contain may change before the actual publication of the CPU,” Harris said in a blog entry.

Click here for more on how Oracle is trying to improve its security alerts.

“It is our hope that these Pre-Release Announcements will become valuable tools to help security professionals analyze the criticality of the forthcoming CPUs and brief their management to obtain any necessary approvals for a timely application of the CPUs,” he added.

On Jan. 16, Oracle will ship a mega CPU with fixes for 52 vulnerabilities affecting a wide range of database and application server products. The highest CVSS (Common Vulnerablity Scoring System) base score of vulnerabilities across all products is 7.0.

Check out eWEEK.com’s Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Ryan Naraine’s eWEEK Security Watch blog.